You Should Probably Change Your LastPass Master Password

Last Friday, the folks at LastPass, keepers of passwords on all sorts of platforms, noticed “suspicious activity” on their network and decided to go ahead and shut that noise down. (Thanks!) Wait, though, suspicious activity? What does that mean? According to LastPass, it means that l33t hax0rs (hackers) were able to grab “account email addresses, password reminders, server per user salts, and authentication hashes.” Yikes. Thankfully, they have found no evidence of user vault data being taken, which is awesome news, since that’s where all of your passwords for other websites are stored.

As a recap – LastPass was hacked on some level, and the responsible party was able to obtain some account information (email addresses, password reminders, per-user salts, and authentication hashes). The good news is that the actual passwords LastPass stores for you were not compromised, so you should be good.

With that said, LastPass is recommending (and prompting) that everyone change their master passwords (especially those weak ones like “12345” that you use for your luggage). LastPass will also now require users who log in from a new device or IP to first verify their accounts by email, unless they already have multifactor authentication enabled.

You do not need to change passwords on other sites, because again, your user vault data wasn’t taken.

You can read more about the “suspicious activity” at the source link below.
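As an added illustration (not code from the article or from LastPass; the derivation details are assumed for the model, not taken from LastPass’s implementation), here is a minimal model of a “local-only decryption” design: the vault key is derived on the device and never sent, while the server keeps only a per-user salt and a hash of a separate authentication value. It shows why the items listed above do not unlock vault data, why the stored hash is not itself a login credential, and what changing the master password invalidates.

```python
import hashlib
import hmac
import os

# Illustrative model (an assumption, not LastPass's actual scheme) of a
# "local-only decryption" design: the vault key is derived on the client
# and never leaves it; the server only ever sees a separate auth value.
CLIENT_ITERATIONS = 100_000   # assumed cost of the client-side derivation
SERVER_ITERATIONS = 100_000   # assumed cost of the server-side hashing


def derive_local(master_password: str, email: str):
    """Client side. Returns (vault_key, auth_hash); only auth_hash is sent."""
    vault_key = hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                                    email.lower().encode(), CLIENT_ITERATIONS)
    # The auth value is a one-way function of the vault key, so even a
    # captured auth value cannot be turned back into the decryption key.
    auth_hash = hashlib.pbkdf2_hmac("sha256", vault_key,
                                    master_password.encode(), 1)
    return vault_key, auth_hash


def server_enroll(auth_hash: bytes, salt: bytes = None) -> dict:
    """Server side. Stores a per-user salt plus a salted hash of auth_hash.
    This record, with the email, is the kind of data the article says was taken."""
    salt = salt or os.urandom(16)
    stored = hashlib.pbkdf2_hmac("sha256", auth_hash, salt, SERVER_ITERATIONS)
    return {"salt": salt, "hash": stored}


def server_verify(record: dict, auth_hash: bytes) -> bool:
    """Login check: the client must present the auth value, not the stored hash."""
    candidate = hashlib.pbkdf2_hmac("sha256", auth_hash, record["salt"],
                                    SERVER_ITERATIONS)
    return hmac.compare_digest(candidate, record["hash"])


def rotate_master(email: str, new_master: str):
    """What 'change your master password' does: a new vault key, a new auth
    value and a new server record, so an old stolen record no longer matches."""
    vault_key, auth_hash = derive_local(new_master, email)
    return vault_key, auth_hash, server_enroll(auth_hash)
```

A weak master password is still the weak point of this design, because anyone holding the stolen record can test candidate passwords through the same derivation, which is why the advice above is to change it and turn on multifactor authentication.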

You need to set it up as a new code. On LastPass, select the “show barcode” option, and in Google Auth, go to the accounts and add a new one with the barcode scan option.

Ilya Kolodiychik

Thanks! That worked.

Jarred Sutherland

Yup! Same here.

John Davids

This is exactly the reason why using a cloud-based password vault is a really really bad idea. If you are going to put 100% of your life’s passwords in 1 place (still a really bad idea) at least use local software that doesn’t touch the internet, like KeyPass.

Why? Because it’s multi-factor authentication? Or because they encrypt everything?

John Davids

Those things + being open source and not touching the cloud.

CoolSilver

Well, that sucks… I do use a YubiKey multifactor, though. Probably time to change passwords again anyway… which really sucks, trying to remember.

JD

I don’t understand why anyone would think it smart to store their sensitive information over any kind of third party network connection… Even if your passwords are safe, compromising data like e-mail and password-reminder questions is going to put those who use redundant information at risk across all sites.

How well do you know the other end of sites you deal with on a daily basis? Sure, the connection is HTTPS, but that doesn’t mean anything if they’re storing data in plain text. At least LastPass is transparent about their system.

Bman4000

What do you folks use for offline password management?

jimt

I use mSecure and LastPass.

Eric

My trusty rolodex

jnt

I’ve been trying to figure this out as well. My LastPass account has 5 pages’ worth of saved passwords, though. Some of those I don’t use any more. But I’d love to take it all offline. For most of my sites I use a rotation / variation of the same passwords, and simply remember. But there’s that chunk that I don’t remember…

Greyhame

mSecure

Lucy S.

I use SplashID Safe. They also have an app for your computer that you can sync with your phone so long as you are on the same wifi network. They offer cloud storage for an extra fee, but I don’t really want my passwords on a cloud server. I’ve been using SplashID for years now, really easy to use and can sync between my phone, tablet, and laptop.

Allyn K C

Same here, I’ve been using SplashID ever since my old Palm PDA. They do try to push users towards the cloud storage, but I don’t care for that, so keep all my passwords synced between my phone and my laptop. They also offer a USB dongle that carries the full app in it, I’ve been considering getting that and then uninstalling from my laptop.

Lucy S.

I started using SplashID when I got my first Apple iTouch, lol. It’s a solid app that’s been around for a while.

cjlee89

KeePass synced with Google Drive.

Opie’s Purse

Offline use?!

cjlee89

Huh? You do not have to be connected to the internet to use your Google Drive files.

DanSan

My brain.

JPC776

This is why I just use “password” as my password for everything. That way I don’t have to store it and I never forget it 🙂

pseudoswede

Now I need to change the codes on my luggage and bike locks. Thanks, Droid Life.

John Jenness

Ha, their servers are “A bit overloaded” at the moment so you can’t do a password reset.

Jeff

See this is why I don’t use passwords..

FknTwizted

Glad I don’t have an account… Online password keeping is never as secure as offline.

Suicide_Note

True, but no passwords were compromised in this attack.

Todd J

I didn’t think hacking LastPass was even possible since it uses “local-only decryption”. From their site:

“All sensitive data is encrypted and decrypted locally before syncing with LastPass. Your key never leaves your device, and is never shared with LastPass. Your data stays accessible only to you.”

jnt

If they can get into your account they can get to all of it. Fortunately LastPass is also enabling that new-device login verification thing as well.

If someone can get in your house, they can steal everything. Having a weak password and not using the multiple authentication methods LastPass offers is not LastPass’s fault.

jnt

Right, I agree 100% – I was simply answering Todd J’s comment about not thinking they could be hacked.

FknTwizted

“compromised”

Picaso86

This is why I don’t like those “password apps”. I’d rather keep track of everything on my own (offline).

trixnkix637

Good thing I cancelled my account weeks ago.

Suicide_Note

This happened Friday, but I’ve received no email from LastPass to change my password, let alone that there was even a breach of some sort.

GregDubya

Me neither. I use LastPass at home and at work!

Suicide_Note

And their servers are overloaded right now, so you can’t change your password if you try.

ynksbsbll2

It told me the servers were overloaded, but I got an email a minute later that my new password was in effect. YMMV, though.

jnt

Same here

Todd J

Here’s a quote from someone “in the field” on LastPass’ blog comment board (food for thought):

“…no you didn’t get the email yet, there’s a reason for that. It’s not that they’re not serious about security. Anyone who’ve [sic] worked on sending out massive amounts of email knows that if you send it too fast, you get blacklisted by mail servers. On the “why weren’t we notified on Friday” comments, anyone working in the field knows how time consuming it is to trace exactly what happens post incident. Last thing a company wants is to announce a breach and then apologize for wrong information afterwards. Look at Home Depot, they were investigating for months prior to notifying the public and they didn’t know they had a problem for much longer than that. …Also, if your master password is weak and don’t use two factor authentication, it’s no one’s fault but your own.” -Eric @ 5:01pm 6/15/15

Edit: formatting

duke69111

I just got mine this evening.

Opie’s Purse

I received an email late last night. Would’ve been nice to have it sent sooner though.